PT-2026-51233 · Craft Cms · Cms

Gcxwlp · Published 2026-06-21 · Updated 2026-06-21 · CVE-2026-56385

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Craft CMS versions 5.0.0-RC1 through 5.9.13; Craft CMS versions 4.0.0-RC1 through 4.17.7.

Description: An authorization bypass exists in the 'assets/preview-file' endpoint. The system fails to enforce per-asset view authorization before returning preview content. This allows an authenticated low-privileged user to supply a controlled assetId for an asset they are not permitted to view and receive preview response data (previewHtml), which includes a private preview image route containing the target private assetId.

Recommendations: Update Craft CMS versions 5.0.0-RC1 through 5.9.13 to version 5.9.14. Update Craft CMS versions 4.0.0-RC1 through 4.17.7 to version 4.17.8. As a temporary workaround, restrict access to the 'assets/preview-file' endpoint to authorized users only.
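The following is an added illustration of the flaw class described above, written for this advisory and not Craft CMS's own code: a minimal 'assets/preview-file' style action in PHP, once in the vulnerable shape (authenticated caller, but no per-asset view check before previewHtml is built) and once in a hardened shape that resolves the asset and enforces the view check first. The Asset, User and volume-based permission model are assumptions for the example.

```php
<?php
// Added example, not Craft CMS code. Models an 'assets/preview-file' style
// action: the caller supplies assetId, the server returns previewHtml that
// embeds a private preview route containing that assetId.
declare(strict_types=1);

final class Asset {
    public function __construct(public int $id, public string $volume) {}
}

final class User {
    /** @param string[] $viewableVolumes volumes this user may view (assumed permission model) */
    public function __construct(public int $id, public array $viewableVolumes) {}
    public function canView(Asset $a): bool {
        return in_array($a->volume, $this->viewableVolumes, true);
    }
}

/** @var array<int, Asset> constructed sample data */
$assets = [
    101 => new Asset(101, 'public-uploads'),
    202 => new Asset(202, 'hr-private'),   // asset the low-privileged user must not see
];

// Vulnerable shape: the user is authenticated, but nothing checks that this
// user may view this particular asset before previewHtml is returned.
function previewFileVulnerable(User $u, int $assetId, array $assets): array {
    $asset = $assets[$assetId] ?? null;
    if ($asset === null) return ['status' => 404];
    $route = "/actions/assets/preview/{$asset->id}";   // private route leaks the target assetId
    return ['status' => 200, 'previewHtml' => "<img src=\"$route\">"];
}

// Hardened shape: resolve the asset, then enforce the per-asset view check
// before any preview content (or the private route) is produced.
function previewFileFixed(User $u, int $assetId, array $assets): array {
    $asset = $assets[$assetId] ?? null;
    if ($asset === null || !$u->canView($asset)) {
        return ['status' => 403];   // same answer for missing and forbidden: no existence oracle
    }
    $route = "/actions/assets/preview/{$asset->id}";
    return ['status' => 200, 'previewHtml' => "<img src=\"$route\">"];
}

$lowPriv = new User(7, ['public-uploads']);   // constructed low-privileged user
printf("vulnerable, foreign asset: %d\n", previewFileVulnerable($lowPriv, 202, $assets)['status']);
printf("fixed, foreign asset:      %d\n", previewFileFixed($lowPriv, 202, $assets)['status']);
printf("fixed, own asset:          %d\n", previewFileFixed($lowPriv, 101, $assets)['status']);
```

The same check belongs on the private preview route itself, since previewHtml exposes that route and a per-action check is only as good as the weakest endpoint that can serve the asset.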

Tags: Fix · IDOR


Related Identifiers: CVE-2026-56385

Affected Products: Cms